Sttor Documentation

Appearance

GCP Kubernetes Engine Clusters using the default network

Description

The default network has a pre-configured network configuration and automatically generates the following insecure firewall rules:

  • default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.
  • default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.
  • default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.
  • default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network. These automatically created firewall rules do not get audit logged and cannot be configured to enable firewall rule logging.

In addition, the default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses.

As a result, it is not possible to use Cloud VPN or VPC Network Peering with the default network. We recommend that a project should not have a default network to prevent use of default network. Based on organization security and networking requirements, the organization should create a new network and delete the default network.

Code Example

go
resource "google_project" "my_project" {
  name       = "My Project"
  project_id = "your-project-id"
  org_id     = "1234567"
+ auto_create_network   = false
}

Remediation

  • GCP Console To change the policy using the GCP Console, follow these steps:*

. Log in to the GCP Console at https://console.cloud.google.com.

. Navigate to https://console.cloud.google.com/networking/networks/list [VPC networks].

. Click the network named * default*.

. On the network detail page, click * EDIT*.

. Click * DELETE VPC NETWORK*.

. If needed, create a new network to replace the default network.

  • CLI Command*

For each Google Cloud Platform project:

. Delete the default network: `gcloud compute networks delete default`

. If needed, create a new network to replace it: `gcloud compute networks create & lt;network name>`

=== Fix - Buildtime

Terraform

  • Resource: google_project
  • Arguments: auto_create_network

Rule Details

FieldValue
IDIAC-0886
SeverityMEDIUM
IaC TypeTerraform
FrameworksTerraform, TerraformPlan
Checkov IDCKV_GCP_27

References

Copyright © 2026 Sttor